Details

Abstract

A challenge in deploying end-to-end encrypted messaging is that it prevents the service provider from identifying abusive or threatening messages and taking punitive action against parties that send them. In this talk we study message franking, recently proposed by Facebook as a way to overcome this challenge. Message franking enables verifiable reporting of abusive messages sent in end-to-end encrypted Facebook Messenger conversations. First, we will describe a vulnerability that achieves a full bypass of message franking by exploiting its use of Galois/Counter mode (GCM) for encrypting attachments: a sender can craft an abusive message that the receiver cannot report as abusive. We recently disclosed this vulnerability to Facebook and were awarded a bug bounty for it. To prevent such flaws from reoccurring, we introduce a new cryptographic primitive which captures the security goals of message franking: compactly committing authenticated encryption (ccAE), an authenticated encryption scheme where a short portion of the ciphertext is a commitment to the underlying plaintext. We will conclude by presenting a fast ccAE scheme called HFC and showing its efficiency is essentially optimal via lower bounds from blockcipher-based hashing.

Bio

Paul Grubbs is a third-year PhD student at Cornell Tech, advised by Tom Ristenpart. His research is in applied cryptography and security. He is the recipient of a 2017 NSF Graduate Research Fellowship.